Amendments to the Claims

Claim 1 (currently amended): A computer program product for enabling an identity change during a certificate-based host access session, said computer program product embodied on a computer-readable medium and comprising:
    computer-readable program code means for processing a first sign-on during a secure session using a digital certificate, further comprising:
        computer-readable program code means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
        computer-readable program code means for storing said digital certificate or a reference thereto at said server machine;
        computer-readable program code means for establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
        computer-readable program code means for passing said stored digital certificate or said reference from said server machine to a host access security system;
        computer-readable program code means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
        computer-readable program code means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;
        computer-readable program code means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;
        computer-readable program code means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials;
        computer-readable program code means for requesting, by said first secure legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user; and
        computer-readable program code means for responding to said request for first sign-on information by sending a first sign-on message with placeholder syntax from said client machine to said server machine, said placeholder syntax representing a user identification and a password of said user, wherein said user identification and said password are expected in said first sign-on message by said first secure legacy host application; and
        computer-readable program code means, operable in said server machine, for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to said first secure legacy host application executing at said host system by substituting said returned first user identifier and said returned password or password substitute for said placeholder syntax in said first sign-on message, thereby creating a revised first sign-on message, and forwarding said revised first sign-on message from said server machine to said first secure legacy host application; and
    computer-readable program code means for processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate that represents a second identity, further comprising:
        computer-readable program code means for receiving a second sign-on request, at said server machine from said client machine, wherein: (1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested; (2) said second sign-on request includes said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said second identity is for a second user, wherein said second user may be identical to said user;
        computer-readable program code means for passing said second digital certificate or said second certificate reference from said server machine to said host access security system;
        computer-readable program code means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;
        computer-readable program code means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;
        computer-readable program code means, operable in said host access security system, for accessing a second stored password or generating a second password substitute representing said second located credentials;
        computer-readable program code means, operable in said host access security system, for returning said second stored password or second generated password substitute to said server machine, along with a second user identifier corresponding to said second located credentials; and
        computer-readable program code means, operable in said server machine, for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system.

Claim 2 (previously presented): The computer program product as claimed in Claim 1, wherein said digital certificate and said second digital certificate are X.509 certificates and said digital certificate reference and second certificate reference are references to an X.509 certificate.

Claim 3 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a 3270 emulation protocol.

Claim 4 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a 5250 emulation protocol.

Claim 5 (original): The computer program product as claimed in Claim 1, wherein said communication protocol is a Virtual Terminal protocol.
Claim 6 (original): The computer program product as claimed in Claim 3, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 7 (previously presented): The computer program product as claimed in Claim 1, wherein said computer-readable program code means for processing said second sign-on further comprises computer-readable program code means for storing said second digital certificate at said server machine.



Claim 8 (canceled) 



Claim 9 (currently amended): A system for enabling an identity change during a certificate-based host access session, comprising:
    means for processing a first sign-on during a secure session using a digital certificate, further comprising:
        means for establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
        means for storing said digital certificate or a reference thereto at said server machine;
        means for establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
        means for passing said stored digital certificate or said reference from said server machine to a host access security system;
        means, operable in said host access security system, for authenticating said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
        means, operable in said host access security system, for using said passed or retrieved digital certificate to locate access credentials for said user;
        means, operable in said host access security system, for accessing a stored password or generating a password substitute representing said located credentials;
        means, operable in said host access security system, for returning said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials;
        means for requesting, by said first secure legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user; and
        means for responding to said request for first sign-on information by sending a first sign-on message with placeholder syntax from said client machine to said server machine, said placeholder syntax representing a user identification and a password of said user, wherein said user identification and said password are expected in said first sign-on message by said first secure legacy host application; and
        means, operable in said server machine, for using said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to said first secure legacy host application executing at said host system by substituting said returned first user identifier and said returned password or password substitute for said placeholder syntax in said first sign-on message, thereby creating a revised first sign-on message, and forwarding said revised first sign-on message from said server machine to said first secure legacy host application; and
    means for processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate that represents a second identity, further comprising:
        means for receiving a second sign-on request, at said server machine from said client machine, wherein: (1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested; (2) said second sign-on request includes said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said second identity is for a second user, wherein said second user may be identical to said user;
        means for passing said second digital certificate or said second certificate reference from said server machine to said host access security system;
        means, operable in said host access security system, for authenticating said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;
        means, operable in said host access security system, for using said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;
        means, operable in said host access security system, for accessing a second stored password or generating a second password substitute representing said second located credentials;
        means, operable in said host access security system, for returning said second stored password or second generated password substitute to said server machine, along with a second user identifier corresponding to said second located credentials; and
        means, operable in said server machine, for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system.

Claim 10 (previously presented): The system as claimed in Claim 9, wherein said digital certificate and said second digital certificate are X.509 certificates and said digital certificate reference and second certificate reference are references to an X.509 certificate.

Claim 11 (original): The system as claimed in Claim 9, wherein said communication protocol is a 3270 emulation protocol.

Claim 12 (original): The system as claimed in Claim 11, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Serial No. 09/619,912 -9- Docket RSW9-2000-0081-US1

Claim 13 (previously presented): The system as claimed in Claim 9, wherein said means for processing said second sign-on further comprises means for storing said second digital certificate at said server machine.

Claim 14 (canceled) 

Claim 15 (currently amended): A method for enabling an identity change during a certificate-based host access session, comprising the steps of:
    processing a first sign-on during a secure session using a digital certificate, further comprising the steps of:
        establishing said secure session from a client machine to a server machine using said digital certificate, wherein said digital certificate represents an identity of said client machine or a user thereof;
        storing said digital certificate or a reference thereto at said server machine;
        establishing a session from said server machine to a host system using a legacy host communication protocol, responsive to receiving, at said server machine, a first sign-on request from said client machine, wherein said first sign-on request identifies a first secure legacy host application to which said first sign-on is requested;
        passing said stored digital certificate or said reference from said server machine to a host access security system;
        authenticating, by said host access security system, said identity using said passed digital certificate or a retrieved certificate which is retrieved using said reference;
        using, by said host access security system, said passed or retrieved digital certificate to locate access credentials for said user;
        accessing, by said host access security system, a stored password or generating a password substitute representing said located credentials;
        returning, by said host access security system, said stored password or generated password substitute to said server machine, along with a first user identifier corresponding to said located credentials;
        requesting, by said first secure legacy host application, responsive to said computer-readable program code means for establishing said session, first sign-on information for said user; and
        responding to said request for first sign-on information by sending a first sign-on message with placeholder syntax from said client machine to said server machine, said placeholder syntax representing a user identification and a password of said user, wherein said user identification and said password are expected in said first sign-on message by said first secure legacy host application; and
        using, by said server machine, said returned password or password substitute and said returned first user identifier to transparently complete said first sign-on, on behalf of said user of said client machine, to said first secure legacy host application executing at said host system by substituting said returned first user identifier and said returned password or password substitute for said placeholder syntax in said first sign-on message, thereby creating a revised first sign-on message, and forwarding said revised first sign-on message from said server machine to said first secure legacy host application; and
    processing a second sign-on during said secure session, without requiring establishment of a new secure session between said client machine and said server machine, using a second digital certificate that represents a second identity, further comprising the steps of:
        receiving a second sign-on request, at said server machine from said client machine, wherein: (1) said second sign-on request identifies a second secure legacy host application to which said second sign-on is requested; (2) said second sign-on request includes said second digital certificate, or a second certificate reference that references said second digital certificate, for said second identity; (3) said second secure legacy host application may be identical to said first secure legacy host application; and (4) said second identity is for a second user, wherein said second user may be identical to said user;
        passing said second digital certificate or said second certificate reference from said server machine to said host access security system;
        authenticating, by said host access security system, said second identity using said passed second digital certificate or a second retrieved certificate which is retrieved using said second certificate reference;
        using, by said host access security system, said passed second digital certificate or said second retrieved certificate to locate second access credentials for said second user;
        accessing, by said host access security system, a second stored password or generating a second password substitute representing said second located credentials;
        returning, by said host access security system, said second stored password or second generated password substitute to said server machine, along with a second identifier corresponding to said second located credentials; and
        using, by said server machine, said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on, on behalf of said second user of said client machine, to said second secure legacy host application executing at said host system.

Claim 16 (previously presented): The method as claimed in Claim 15, wherein said digital certificate and said second digital certificate are X.509 certificates and said digital certificate reference and second certificate reference are references to an X.509 certificate.

Claim 17 (original): The method as claimed in Claim 15, wherein said communication protocol is a 3270 emulation protocol.

Claim 18 (original): The method as claimed in Claim 17, wherein said host access security system is a Resource Access Control Facility (RACF) system.

Claim 19 (previously presented): The method as claimed in Claim 15, wherein said step of processing said second sign-on further comprises the step of storing said second digital certificate at said server machine.

Claim 20 (canceled) 
Claim 21 (currently amended): The computer program product as claimed in Claim 1, wherein:
    said computer-readable program code means for processing said second sign-on further comprises computer-readable program code means for receiving, at said server machine, a second sign-on message sent from said client machine, wherein said second sign-on message has placeholder syntax representing a user identification of said second user and a password of said second user, wherein said user identification of said second user and said password of said second user are expected in said second sign-on message by said second secure legacy host application; and
    said computer-readable program code means for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on further comprises:
        computer-readable program code means for substituting said returned second user identifier and said returned second password or second password substitute for said placeholder syntax in said second sign-on message, thereby creating a revised second sign-on message; and
        computer-readable program code means for forwarding said revised second sign-on message from said server machine to said second secure legacy host application.

Claim 22 (previously presented): The computer program product according to Claim 1, wherein said second sign-on request includes information usable as proof that said second user owns said second digital certificate.
Claim 23 (previously presented): The computer program product according to Claim 22, wherein said proof further comprises a random seed value and a sequence number concatenated thereto by said client machine to detect replay attacks, wherein said random seed value was previously sent from said server machine to said client machine.

Claim 24 (previously presented): The computer program product according to Claim 23, wherein said identification of said second secure legacy host application is also concatenated to said random seed value.

Claim 25 (previously presented): The computer program product according to Claim 23, wherein a digital signature computed using a private key associated with said second digital certificate is included in said second sign-on request, said digital signature covering said random seed value and said concatenated sequence number.

Claim 26 (previously presented): The computer program product according to Claim 24, wherein a digital signature computed using a private key associated with said second digital certificate is included in said second sign-on request, said digital signature covering said random seed value, said concatenated sequence number, and said concatenated identification of said second secure legacy host application.

Claim 27 (currently amended): The system as claimed in Claim 9, wherein:
    said means for processing said second sign-on further comprises means for receiving, at said server machine, a second sign-on message sent from said client machine, wherein said second sign-on message has placeholder syntax representing a user identification of said second user and a password of said second user, wherein said user identification of said second user and said password of said second user are expected in said second sign-on message by said second secure legacy host application; and
    said means for using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on further comprises:
        means for substituting said returned second user identifier and said returned second password or second password substitute for said placeholder syntax in said second sign-on message, thereby creating a revised second sign-on message; and
        means for forwarding said revised second sign-on message from said server machine to said second secure legacy host application.



Claim 28 (currently amended): The method as claimed in Claim 15, wherein:
    said step of processing said second sign-on further comprises the step of receiving, at said server machine, a second sign-on message sent from said client machine, wherein said second sign-on message has placeholder syntax representing a user identification of said second user and a password of said second user, wherein said user identification of said second user and said password of said second user are expected in said second sign-on message by said second secure legacy host application; and
    said step of using said returned second password or second password substitute and said returned second user identifier to transparently complete said second sign-on further comprises the steps of:
        substituting said returned second user identifier and said returned second password or second password substitute for said placeholder syntax in said second sign-on message, thereby creating a revised second sign-on message; and
        forwarding said revised second sign-on message from said server machine to said second secure legacy host application.



Claim 29 (currently amended): A computer-implemented method for enabling an identity change during a certificate-based host access session, comprising steps of:
    establishing a secure session between a client and a server using a digital certificate owned by a user of said client;
    remembering said digital certificate at said server;
    completing a first sign-on to a host application, by said server on behalf of said user, responsive to receiving an asynchronous sign-on request from said client that identifies said host application, further comprising the steps of:
        using said remembered digital certificate to authenticate said user to a host access security component;
        if said user is authenticated, locating, by said host access security component, access credentials of said user;
        creating, by said host access security component, a passticket that represents said located access credentials;
        returning said passticket from said host access security component to said server, along with a user identifier associated with said located access credentials; and
        inserting, by said server, said passticket and said user identifier into a log-on message in place of placeholders for a user password and said user identifier, when said log-on message is received at said server from said client, thereby creating a revised log-on message, in a form expected by said host application, that is then sent from said server to sign said user on to said host application; and
    completing a second sign-on to a second host application, by said server on behalf of a second user, responsive to receiving a second asynchronous sign-on request from said client that identifies said second host application, wherein said second host application may be identical to said host application and said second user may be identical to said user, further comprising the steps of:
        using a new digital certificate and proof therefor to authenticate said second user to said host access security component, wherein said new digital certificate and said proof therefor are included in said second asynchronous sign-on request;
        if said second user is authenticated, locating, by said host access security component, access credentials of said second user;
        creating, by said host access security component, a second passticket that represents said located access credentials of said second user;
        returning said second passticket from said host access security component to said server, along with a second user identifier associated with said located access credentials of said second user; and
        inserting, by said server, said returned second passticket and said returned second user identifier into a second log-on message in place of placeholders for a second user password and said second user identifier, when said second log-on message is received at said server from said client, thereby creating a revised second log-on message, in said form expected by said second host application, that is then sent from said server to sign said second user on to said second host application.

Claim 30 (new): A method of providing identity change during a secure session, comprising steps of:
    upon receiving a first log-on message containing placeholder syntax from a client during a secure session, substituting therefor a first user identifier and a first password substitute provided by a host access security system upon authentication of user credentials associated with the client and with a user thereof, thereby creating a revised first log-on message in a form expected by a first legacy host application, the first password substitute representing access privileges associated with the user credentials for the first legacy host application;
    forwarding the revised first log-on message to the first legacy host application for completing a secure sign-on thereto;
    upon receiving a second log-on message containing placeholder syntax from the client during the secure session, substituting therefor a second user identifier and a second password substitute provided by the host access security system upon authentication of second user credentials associated with the client and with the user thereof or a different user thereof, thereby creating a revised second log-on message in a form expected by a second legacy host application, the second password substitute representing access privileges associated with the second user credentials for the second legacy host application, wherein the second legacy host application may be identical to the first legacy host application; and
    forwarding the revised second log-on message to the second legacy host application for completing a secure sign-on thereto.
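The sign-on flow the claims describe, as an added example that is not from the patent application or its applicant: a server that remembers the session certificate, obtains a user identifier and a password substitute ("passticket") from a simulated host access security system, substitutes them for the placeholder syntax in the client's sign-on message (Claims 1, 21, 29 and 30), and checks the seed-plus-sequence-number proof of Claims 23 to 26 before accepting an identity change. The placeholder tokens, the class and function names, the certificate-to-user mapping, and the HMAC that stands in both for the public-key signature and for the passticket format are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed placeholder syntax; the claims leave the exact tokens unspecified.
USERID_PLACEHOLDER = "${USERID}"
PASSWORD_PLACEHOLDER = "${PASSWORD}"

# Constructed per-certificate secrets standing in for the private key behind
# each certificate. A real deployment verifies a public-key signature
# (Claims 25-26); the standard library has no such primitive, hence the HMAC.
CLIENT_SIGNING_KEYS = {"cert-alice": b"alice-private", "cert-bob": b"bob-private"}


def sign_proof(certificate, seed, sequence, application):
    """Client side (Claims 23-26): sign seed || sequence || application id."""
    msg = f"{seed}|{sequence}|{application}".encode()
    return hmac.new(CLIENT_SIGNING_KEYS[certificate], msg, hashlib.sha256).hexdigest()


class HostAccessSecuritySystem:
    """Stand-in for the host access security system (RACF in Claims 6, 12, 18).
    It authenticates a certificate, locates the credentials it maps to, and
    issues a one-time password substitute instead of a stored password."""

    def __init__(self, cert_to_userid, ticket_key):
        self._cert_to_userid = dict(cert_to_userid)  # constructed mapping
        self._ticket_key = ticket_key
        self._issued = set()

    def authenticate(self, certificate):
        return self._cert_to_userid.get(certificate)  # user id, or None

    def generate_passticket(self, userid, application):
        """Substitute bound to user and application; the format is assumed."""
        nonce = secrets.token_hex(4)
        msg = f"{userid}|{application}|{nonce}".encode()
        mac = hmac.new(self._ticket_key, msg, hashlib.sha256).hexdigest()[:8]
        ticket = (nonce + mac).upper()
        self._issued.add((userid, application, ticket))
        return ticket

    def redeem_passticket(self, userid, application, ticket):
        """Host application side: a passticket is accepted exactly once."""
        key = (userid, application, ticket)
        if key not in self._issued:
            return False
        self._issued.discard(key)
        return True


class ServerMachine:
    """The server machine of the claims: remembers the session certificate,
    hands the client a random seed, and completes sign-ons on its behalf."""

    def __init__(self, security_system):
        self.security = security_system
        self.stored_certificate = None
        self.random_seed = None
        self.last_sequence = 0

    def establish_secure_session(self, certificate):
        self.stored_certificate = certificate
        self.random_seed = secrets.token_hex(8)  # Claim 23: sent to the client
        return self.random_seed

    def verify_proof(self, certificate, application, proof):
        """Reject an unknown certificate, a stale seed, a mismatched application
        identifier, a reused sequence number or a bad signature (Claims 23-26)."""
        seed, sequence, app, signature = proof
        if certificate not in CLIENT_SIGNING_KEYS or seed != self.random_seed:
            return False
        if app != application or sequence <= self.last_sequence:
            return False
        if not hmac.compare_digest(sign_proof(certificate, seed, sequence, app), signature):
            return False
        self.last_sequence = sequence
        return True

    def sign_on(self, application, message, certificate=None, proof=None):
        """First sign-on: use the stored certificate. Identity change: a new
        certificate plus proof of ownership must arrive with the request."""
        if certificate is None:
            certificate = self.stored_certificate
        elif not self.verify_proof(certificate, application, proof):
            raise PermissionError("proof of certificate ownership rejected")
        userid = self.security.authenticate(certificate)
        if userid is None:
            raise PermissionError("certificate not authenticated")
        if USERID_PLACEHOLDER not in message or PASSWORD_PLACEHOLDER not in message:
            raise ValueError("sign-on message lacks the expected placeholder syntax")
        ticket = self.security.generate_passticket(userid, application)
        # Substituting for the placeholder syntax yields the revised message the
        # legacy host application expects (Claims 1, 21, 29 and 30).
        return message.replace(USERID_PLACEHOLDER, userid).replace(PASSWORD_PLACEHOLDER, ticket)
```

The password substitute never reaches the client: the client's message carries only placeholders, and the substitute is inserted at the server and consumed once by the host side.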